The answers to the questions your security and procurement teams will ask. Categorised so you can scan, search, and paste into your vendor risk questionnaire.
For anything not covered, email [email protected].
Certifications
Does Hirex hold security certifications?
ISO 27001 is in progress. SOC 2 Type II is planned to follow. We follow ISO 27001 controls in practice while certification is in flight. Our underlying infrastructure providers (AWS, Heroku, Cloudflare) are independently certified against ISO 27001 and SOC 2 and are aligned with GDPR.
When will ISO 27001 be awarded?
We do not publish target dates we cannot guarantee. Progress is tracked internally. The certificate and audit report will be made available under NDA once issued.
Is Hirex GDPR-compliant?
GDPR applies to data controllers and data processors performing certain activities. Hirex acts as a data processor for customer data; we have built the platform to support our customers' GDPR compliance, with a Data Processing Addendum, sub-processor disclosure, transfer safeguards, and the data subject rights features described in our GDPR page.
Hosting and data location
Where is customer data stored?
In AWS Ireland (eu-west-1) via Heroku Platform-as-a-Service. Primary database, file storage, backups, and message queues are all in the EU at rest.
Is data ever transferred outside the EU?
Hosting is EU-only. Some sub-processors (notably the AI model providers OpenAI, Anthropic, Google, and Deepgram) process data in the United States. These transfers are covered by the European Commission's Standard Contractual Clauses and Transfer Impact Assessments documented internally.
What's the legal entity I'm contracting with?
Hirex HR, Inc., a Delaware corporation, 8 The Green STE D, Dover, Delaware 19901, USA.
Infrastructure and reliability
What is Hirex's uptime SLA?
99.5% for the standard tier. Historical uptime is published at status.gethirex.com. Enterprise tier customers can negotiate higher SLAs.
How are systems monitored?
24×7 monitoring via Sentry (errors), Scout APM (performance), BetterStack/Logtail (logs), and Cloudflare (network/WAF). Alerts page on-call engineers.
Is there per-customer infrastructure isolation?
Yes, for the enterprise tier. Enterprise customers run on dedicated Heroku application instances, dedicated Postgres databases, and dedicated Redis, with IP allowlisting enforced at the Cloudflare WAF. Standard tier customers run on shared infrastructure with logical tenant separation.
How are backups handled?
Heroku Postgres provides continuous protection with point-in-time recovery. S3 storage uses versioning and cross-region replication. Backups are encrypted and segregated from production credentials.
What is the recovery time objective?
RPO of 1 hour and RTO of 4 hours for the standard tier. Tighter SLAs are negotiable for enterprise.
How often is there planned downtime?
None. All deployments are performed as zero-downtime hot deployments.
Access controls
Who at Hirex can access customer data?
A small number of named engineers have production access on a least-privilege basis. All personnel access requires multi-factor authentication. Customer data is not accessed in routine operations; when access is required to provide support or investigate an incident, it is just-in-time, logged, and reviewed.
Does Hirex support SSO?
Yes. Azure AD / Entra ID, Google Workspace, and any SAML 2.0 identity provider.
Does Hirex support two-factor authentication?
Yes. TOTP-based 2FA can be enabled for any user.
Does Hirex support SCIM user provisioning?
Yes, on the enterprise tier.
What role-based access controls exist?
Customers can define unlimited role profiles, with granular permissions and visibility settings. Per-user overrides are supported.
Are audit logs available to customers?
Yes. A comprehensive audit log of actions in the tenant is accessible to customer administrators.
Encryption
How is data encrypted in transit?
TLS 1.2 and TLS 1.3 with HTTP-to-HTTPS automatic redirect. Internal service-to-service traffic on Heroku is also TLS-secured. Redis connections require TLS.
How is data encrypted at rest?
AES-256 for Postgres, S3, and Heroku-managed backups.
How are encryption keys managed?
Through the underlying cloud provider's key management system (AWS KMS via Heroku's managed infrastructure). Keys are rotated according to AWS and Heroku key management practice.
Secure development
Does Hirex follow secure development practices?
Yes. We maintain a documented Secure Development Policy aligned with OWASP Top 10. Every code change is reviewed before merge. Static Application Security Testing (SAST) and dependency scanning run in our CI/CD pipeline. Automated tests must pass before deployment.
Does Hirex conduct penetration tests?
Yes, annually, by a qualified third party. Findings are tracked to remediation.
Does Hirex have a vulnerability disclosure programme?
Yes. Researchers can report findings to [email protected]. We commit to non-retaliation for good-faith disclosure.
Incident response
Does Hirex have an incident response plan?
Yes. Our documented Incident Response Policy defines severity classifications, escalation paths, internal and customer communication procedures, and post-incident review.
Will I be notified of a data breach?
Yes. We notify affected customers without undue delay and in any event within 72 hours of becoming aware. The notification includes nature, scope, likely consequences, and mitigation measures. See clause 9 of our Data Processing Addendum.
How are major incidents communicated?
Via status.gethirex.com and direct customer notification for incidents affecting specific tenants.
Data ownership and deletion
Who owns the data we store in Hirex?
You do. You retain full ownership and control of the data submitted to the platform by your team and your candidates.
Can I export my data?
Yes, at any time, in machine-readable formats (CSV via the application UI, JSON via the API).
What happens to my data at the end of the contract?
At your election, we either return or delete your data. Deletion follows NIST SP 800-88 (Guidelines for Media Sanitization): data is removed from production within 15 days and from backups within 45 days.
Can I configure data retention while the contract is active?
Yes. Retention rules are configurable per region, per pipeline, and per candidate status.
Sub-processors
What third parties does Hirex share customer data with?
The complete sub-processor list is at /trust/sub-processors. Major categories include hosting (AWS, Heroku), AI providers (OpenAI, Anthropic, Google, Deepgram), email delivery (Mailgun), and operational tooling (Sentry, PostHog, etc.).
Will I be notified before a sub-processor is added?
Yes. At least 30 days' advance notice is given for any new sub-processor that processes customer data. Customers may object during the notice period.
How do you ensure sub-processors meet GDPR standards?
Each sub-processor is bound by a written data processing agreement that imposes equivalent protections. For transfers outside the EEA, Standard Contractual Clauses are in place.
AI
What AI features does Hirex provide?
CV parsing (Gemini), match scoring (OpenAI, Anthropic), evaluation summaries and content generation (OpenAI, Anthropic), one-way video interview transcription (Deepgram), candidate sourcing (Exa). See /trust/ai for detail.
Is customer data used to train AI models?
No. All four AI providers are contractually barred from using customer data to train their models. Where the provider supports it, we operate on zero-retention enterprise tiers.
Does Hirex make automated decisions about candidates?
No. We do not make solely automated decisions within the meaning of GDPR Article 22. All AI outputs inform human decisions only.
Does Hirex automatically reject candidates?
No. Every rejection in the platform requires an explicit human action.
Is the AI tested for bias?
The Services include anonymised screening features that customers can enable. We do not infer protected characteristics from CV content for use in scoring. Customers operating under bias-audit regimes (NYC AEDT, Colorado AI Act, similar) receive the technical documentation needed to commission their own audits.
What's Hirex's posture on the EU AI Act?
Hirex's CV scoring and interview analysis are classified as high-risk under Annex III §4 (employment). We are working toward the provider obligations that apply from 2 August 2026. See /trust/ai.
Customer access controls
Can I limit which Hirex staff access my data?
For enterprise customers using just-in-time access, you can grant named members of our support team temporary access to your tenant via the UI. Access is logged, automatically revoked after 24 hours, and revocable by you at any time.
Can I restrict my Hirex tenant by IP?
Yes. On the enterprise tier, IP allowlisting is enforced at the Cloudflare WAF.
Compliance with specific frameworks
Are you HIPAA-compliant?
Hirex is not currently a HIPAA-covered entity or business associate. The platform is not designed for the processing of Protected Health Information. Do not use Hirex to process PHI.
Are you PCI-DSS-compliant?
Payment data is handled by Stripe, which is PCI-DSS Level 1 certified. Hirex does not store full card numbers.
Do you support KVKK (Türkiye)?
Yes. Customers operating under KVKK can configure region-specific retention and consent capture for Turkish candidates. The platform supports Turkish-language consent notices.
Contracting
Do you have a Data Processing Addendum?
Yes. Our DPA is incorporated by reference into our Terms of Service. A copy is at /trust/dpa.
Can we negotiate custom terms?
For enterprise customers, yes. Contact your account team.
Do you sign Business Associate Agreements?
No. Hirex is not designed for HIPAA-regulated data and does not sign BAAs.
Anything else?
- Security questions: [email protected]
- Privacy questions: [email protected]
- Data Protection Officer: [email protected], Burak Yılmaz
- Vulnerability reports: [email protected]
